Attack simulation training, Credential Harvest - flag real login credentials

I have known users who were suspicious and deliberately typed wrong credentials to see what would happen. Of course, that is not a good idea if the intention is a malware drop rather than a credential phish, and they are also assuming that they can distinguish between a genuine "wrong password" response and a phishing engine that composes an excuse or simply does not respond once the data is stolen.